Top 10 trends to inform your cyber security strategy – part 2

Taken from our new playbook, which highlights the major trends in cyber security, here is the second set of top trends. In case you missed it, here is part 1.

6. The Internet of Things (IoT) will have repercussions across all organisations

The IoT represents a key emerging challenge for all organisations by muddying the boundary between the physical and online worlds. The truth is that many IoT devices were not designed with security in mind. Now that we are connecting everything from refrigerators to hair dryers to the Internet, it’s just a matter of time before a significant breach occurs.

It is likely that organisations will increasingly suffer breaches originating from an insecure IoT device connected to their network. With the IoT, organisations risk creating loopholes in their own firewalls and providing access to devices on their network. The access point might be anything from a security camera or network printer to a climate control device or a remote-controlled light bulb. Once inside a network, hackers can take over connected devices and misuse them as part of a bigger hack or distributed denial-of-service attack.

7. Collaboration is the solution for cyber security in the supply chain

The nature of global supply chains demands that companies exchange sensitive information with multiple partners, some of them several tiers removed from the provider. For this reason, after the organisation’s employees, the supply chain is often the next weakest link, with some large organisations linked to as many as 400,000 suppliers. To highlight the scale of the risk, 63% of breaches can be traced to third-party vendors, according to the Soha Systems survey on third-party risk management.

Not surprisingly, some of the biggest and most complex supply chains have so many external partners that they are unable to assess the risk of doing business with one another. Hackers know that the more interconnections there are, the greater the number of weak links that can be exploited, especially if the supply chain is not properly managed in terms of cyber security.

To remain safe, organisations must ensure confidence in third parties’ data safeguards, security policies and procedures, and determine whether their security posture is sufficient to respond to a data breach or cyber attack.

8. Organisations need to prioritise data integrity

We can expect to see attackers changing their methodology from pure data theft and website hacking to attacking data integrity itself. The goal of cyber attacks is normally to obtain sensitive information that can be held for ransom or sold. But if finding protected data is the goal for attackers, organisations also need to be concerned about the integrity of their data, protect it from unauthorised changes, and make sure they are alerted to any changes as they occur.

An attack on data integrity, in comparison to straightforward data theft, serves to cause long-term harm and damage by getting people to question the integrity of the data. Some possible scenarios to consider:

For healthcare organisations, considering recent medical record breaches, if someone changes medical records, the lives of patients are literally at risk.

For airlines or travel companies, ensuring the integrity of schedules – from traveller information to engine maintenance – is critical to operations and brand reputation.

For financial institutions or public companies, even small changes in data can quickly create big problems, especially if those data are part of regular reporting to shareholders or filings with regulatory agencies.

Evidence of data theft is often provided by tools that monitor the movement of data. One of the many challenges with data integrity attacks – where data does not move – is that the effects may not be detected for years, until there is a reason to question the data.

9. Organisations must get serious about monitoring and managing third-party risk

Third-party risk management is already a key priority for many organisations. Most have established regular assessment protocols but few go beyond a ‘one snapshot at a time’ approach. This emphasis will likely shift to the need for continual monitoring. Security in this new age is about putting in place a sustainable, proactive approach to ensure that your enterprise can adapt intelligently and quickly as new forms of threat are identified.

The frequency and diversity of attacks means that organisations need to be able to establish a baseline view of what “normal” looks like in order to be able to prioritise activities instead of simply reacting to every security event. Furthermore, the increased regulatory focus on vendor risk, coupled with the upcoming deadline of the GDPR, mean that firms won’t be able to continue outsourcing their security risk to third parties.

By adopting an optimised, continual monitoring approach, organisations can move from a compliance-driven prevention focus to one of actively seeking out and countering threats to your most valuable digital resources.

10. The cyber security skills shortage is not getting any better

Cyber security has been identified as the top ‘problematic shortage’ area across all of IT for the past six years in a row. In 2017, 45% of organisations said they had a “problematic shortage” of cyber security skills. Correspondingly, when Information Systems Security Association (ISSA) members were asked to identify the impact of the cyber security skills shortage on their organisations, 35% said a lack of cyber security skills led to an inability to use some security technologies to their full potential, according to the ESG Research Report.

This points to a couple of clear conclusions: the cyber security shortage is not getting any better, and it is having a real and demonstrable impact on organisations.

LESSONS TO BE LEARNED: PART TWO

Taking the time to analyse security functions and privacy requirements across planning, design, development and testing stages pays big dividends in developing a secure IoT application.

Managing the risk of data integrity breaches can be done by applying the security basics rigorously – for example, UK Cyber Essentials.

The scale and diversity of threats, along with stringent regulation, will mean firms will no longer be able to outsource security risk.

Obtaining the right cyber security partner can help overcome skills shortages, so you can be more proactive in your approach to security by benefiting from global best practices and threat intelligence.